Chrome Extension Embeds In-Browser Monero Miner That Drains Your CPU

The authors of SafeBrowse, a Chrome extension with more than 140,000 users, have embedded a JavaScript library in the extension's code that mines for the Monero cryptocurrency using users' computers and without getting their consent.

The additional code drives CPU usage through the roof, making users' computers sluggish and hard to use.

SafeBrowse uses same technology tested by The Pirate Bay

The intrusive and highly damaging behavior was noticed almost immediately, as the extension's Web Store page has filled up in the past few hours with negative reviews decrying the surge in CPU resource usage.

Looking at the SafeBrowse extension's source code, anyone can easily spot that its authors embedded the Coinhive JavaScript Miner, an in-browser implementation of the CryptoNight mining algorithm used by CryptoNote-based currencies, such as Monero, Dashcoin, DarkNetCoin, and others.

At the time of writing, the Coinhive JavaScript Miner, as described on its website, only supports Monero mining.

The embedded code starts a process that runs at all times in the browser's background and mines for Monero using the user's resources, but for the profit of the SafeBrowse authors.

Affected users include anyone who installed the SafeBrowse extension. The version featuring the Coinhive miner is 3.2.25. Chrome extensions use an auto-update system, so most SafeBrowse users will be updated to this version in the coming hours and days.
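
The following is an added example, not code from this article, from SafeBrowse or from Coinhive. It shows one way a defender could statically triage an unpacked extension's files for an embedded in-browser miner and tell whether the hit sits in a background script. The function name auditExtension, the indicator strings (assumed from Coinhive's public library naming) and the sample files are assumptions made for illustration.

```javascript
// Added example (not SafeBrowse's or Coinhive's code): static triage of an
// unpacked extension's files for an embedded in-browser miner.
// ASSUMPTION: indicator strings come from Coinhive's public library naming.
const MINER_INDICATORS = [
  { name: "coinhive-host", re: /coinhive\.com/i },
  { name: "coinhive-api", re: /\bCoinHive\.(Anonymous|User)\b/ },
  { name: "cryptonight", re: /cryptonight/i },
];

// files: { "relative/path": "file text" }, e.g. read from one versioned
// folder under the Chrome profile's Extensions directory.
function auditExtension(files) {
  let manifest = {};
  try {
    manifest = JSON.parse(files["manifest.json"] || "{}") || {};
  } catch (e) {
    // Malformed manifest: still scan the remaining files.
  }
  const bg = manifest.background || {};
  // Manifest V2 background scripts/page are persistent by default, so a hit
  // there means the code runs for as long as the browser is open.
  const persistent = new Set([...(bg.scripts || []), bg.page].filter(Boolean));
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    if (!/\.(js|html?|json)$/i.test(path)) continue;
    String(text).split(/\r?\n/).forEach((line, i) => {
      for (const ind of MINER_INDICATORS) {
        if (ind.re.test(line)) {
          findings.push({ path, line: i + 1, indicator: ind.name,
                          persistent: persistent.has(path) });
        }
      }
    });
  }
  return { name: manifest.name, version: manifest.version,
           flagged: findings.length > 0, findings };
}

// Constructed sample (hypothetical extension, not SafeBrowse's real files).
const sampleExtension = {
  "manifest.json": JSON.stringify({ name: "Example Extension", version: "1.0.0",
    manifest_version: 2, background: { scripts: ["bg.js"] } }),
  "bg.js": "var miner = new CoinHive.Anonymous('PLACEHOLDER_KEY');",
  "popup.js": "document.title = 'Example';",
};

console.log(JSON.stringify(auditExtension(sampleExtension), null, 2));
```

A clean result only means none of these strings appear in the files; obfuscated or remotely loaded code needs a closer look, together with Chrome's Task Manager readings.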

The addition of the Coinhive JavaScript Miner to SafeBrowse comes after The Pirate Bay experimented with the same technology as an alternative to showing ads on its site. Users who visited The Pirate Bay last Saturday did not see ads on the site, but the portal loaded a JavaScript file in their browsers that mined Monero for the torrent portal's owners.

The same spike in CPU usage can be seen in Chrome's built-in Task Manager, showing the extension's process taking up over 60% of CPU resources.

The impact on our test computer was felt immediately. Task Manager itself froze and entered a Not Responding state seconds after installing the extension. The computer became sluggish, and the SafeBrowse Chrome extension continued to mine Monero at all times when the Chrome browser was up and running.

It is no wonder that users reacted with vitriol on the extension's review section. A Reddit user is currently trying to convince other users to report SafeBrowse as malware to the Chrome Web Store admins [1, 2].

Not the first time doing something shady

At the time of writing, the SafeBrowse extension was still available for download through the Web Store, and neither its privacy policy nor its official website mentions anything about the recent update and the addition of the Coinhive code.

This is not the first time the extension was caught doing something shady. Back in November 2015, researchers from Detectify Labs found that SafeBrowse, along with many popular Chrome extensions, were loading analytics code without consent in order to track users across the web.

Bleeping Computer has reached out for comment to SafeBrowse. We will update the article with any statement the authors wish to make.

Unfortunately we have no knowledge, apparently has been a hack. I'm currently researching, I have already contacted the Google team. The extension has not received an update for months, so I do not know what it's all about.

While most users know how to remove a Chrome extension, users who lack the technical skills and need help with removing the SafeBrowse extension can consult a guide we put together here.

Catalin Cimpanu is the Security News Editor for Bleeping Computer, where he covers topics such as malware, breaches, vulnerabilities, exploits, hacking news, the Dark Web, and a few more. Catalin previously covered Web & Security news for Softpedia between May 2015 and October 2016. The easiest way to reach Catalin is via his XMPP/Jabber address at campuscodi@xmpp.is. For other contact methods, please visit Catalin's author page.

Will have to look at the details more carefully - but it looks like another instance where Google's vetting process is inadequate.

There are pluses and minuses for users and developers with the Store/Play paradigm. While suitability, functionality and performance will be judged by the users, they should feel confident that what they load from that authorized source will not harm or steal from them (beyond the cost of a worthless product, if they decided to buy).

When the vendor-browser-store metric of success is based on quantity over quality, the incentive is to let everything through, and only look closer when someone (actually, a huge number of people) complains.